Lucene search

GitHub_MCVELIST:CVE-2023-38688

HistoryAug 04, 2023 - 4:18 p.m.

CVE-2023-38688 twitch-tui's connection is not encrypted

2023-08-0416:18:15

CWE-311

GitHub_M

www.cve.org

twitch-tui

unencrypted communication

potential token sniffing

irc servers

tls

vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.3%

JSON

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result, communication, including auth tokens, can be sniffed. Version 2.4.1 has a patch for this issue.

CNA Affected

[
  {
    "vendor": "Xithrius",
    "product": "twitch-tui",
    "versions": [
      {
        "version": " < 2.4.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Xithrius/twitch-tui/blob/340afc3c8c07a83289fe6ef614aa7563c8b70756/src/twitch/connection.rs#L23

github.com/Xithrius/twitch-tui/commit/74d13ddca35f8f0816f4933c229da1fd95c0350a

github.com/Xithrius/twitch-tui/security/advisories/GHSA-779w-xvpm-78jx

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.3%

JSON

Related for CVELIST:CVE-2023-38688